Autofill - the next vulnerability?
Security Researcher Viljami Kuosmanen has posted a proof of concept of a new type of security vulnerability - Browser Autofill Phishing, which has us all astounded at A. how easy it is to pull off, and B. why we hadn't thought of it first.
You can check out a demonstration here:
As well as his github POC, https://github.com/anttiviljami/browser-autofill-phishing
So what is it and how does it affect us?
In our increasingly mobile world, where filling in web forms is a daily chore and difficult to do on the mobile keypad, mobile browsers has taken on the task of automatically filling in your contact details once they realize that you are trying to fill in a form. They do so with data you already have used a few times before: your name, your address, your phone number. Implicit in the automatic filling of these forms is that you consent to the website having this information on you, and in any case, you can see the form and the data before you click on "Submit", and are fully able to delete or alter anything you want to. This feature has proven so popular that it has overflowed to desktop browsers, and in many cases, is tied to your cloud account so that these forms can be filled automatically, no matter where you are logged in from.
But what happens when you do not consent to the website having your information? Then you just delete off the relevant field or change it. But again, what is the field is hidden? Then you would have submitted content without your knowledge or consent. And here is the key issue - the tool of your convenience has been turned against you to provide more content than you would have been comfortable sharing.
Plenty of suggestions float about on how to fix our favorite browsers so that we can enjoy the use of autofill and not worry about autofill phishing. For the time being, the best I can think of is to clear off your saved form data, and use private browsing when submitting web forms.